IN THIS CHAPTER
- Understanding the Exchange Server 2010 Server Roles
- Understanding the Prerequisites for Exchange Server 2010
- Understanding High Availability and Site Resilience in Exchange Server 2010
- Exchange Server 2010 Hardware Requirements
- Understanding the Active Directory Requirements for Exchange Server 2010
- Understanding Role Based Access Control
- Planning Your Exchange Server 2010 Installation
- Deploying Active Directory from Scratch
- Preparing Your Environment for Exchange Server 2010
- Installing Exchange Server 2010
- Finalizing the Deployment
CHAPTER 7
For more information on the Client Access server role and details on how to install and configure the role, review Chapter 17, Implementing Client Access and Hub Transport Servers.
NOTE
The Exchange Server 2010 management tools can be installed on a 64-bit edition of the Windows Server 2008 Service Pack 2 (or later) operating system, or on the Windows Vista Service Pack 2 (or later) operating system.
Windows PowerShell V2
Administrators who are familiar with Exchange Server 2007 have most likely had some experience with Windows PowerShell. For many, the implementation of PowerShell addressed one of the most glaring shortcomings of older Windows installations: the lack of a usable command-line interface for performing administrative tasks. PowerShell is an extensible command-line shell and scripting language from Microsoft that integrates with the .NET Framework to allow administrators to perform just about any task in an Exchange environment from a command line. From simple to complex, scripts can be written in the PowerShell scripting language to save administrators from time-consuming and repetitive tasks. While some have found the PowerShell scripting language difficult to learn and challenging to implement, few who have seen this product put into action can complain about the results.
Windows PowerShell V2 introduces several new features to PowerShell 1.0 that extend its capabilities, including:
- PowerShell Remoting: Allows scripts and cmdlets to be executed on a remote machine, or on several remote machines.
- Windows PowerShell Integrated Scripting Environment (ISE): A GUI-based PowerShell host that provides an integrated debugger, syntax highlighting, tab completion, and up to eight PowerShell consoles.
- Script Debugging: Allows breakpoints to be set in a PowerShell script or function.
- Eventing: Allows listening for, forwarding, and acting on management and system events.
Windows PowerShell V2 can be downloaded and installed from the Internet, and instructions on how to do so are included later in this chapter.
Although these options were a significant improvement over previous technologies, organizations found that the technologies were challenging to implement, as they required a significant amount of time and experience to deploy. This was largely due to the fact that some parts of the technology were owned by the Windows operating system, and some parts were owned by Exchange Server. Exchange Server 2010 has built on these technologies and combined the on-site data replication features of CCR with the off-site data replication features of SCR. This combination of technologies is known as a database availability group (DAG). This architecture is designed to provide recovery from disk-level, server-level, and site-level failures. A few characteristics of mailbox database copies follow:
- Designed for mailbox databases only. Public folder replication is still the preferred method of redundancy and high availability for public folders.
- Up to 16 copies of a mailbox database can be created on multiple servers.
- Mailbox servers in a DAG can host other Exchange Server roles (Client Access, Hub Transport, and Unified Messaging).
- Exchange Server 2010 mailbox databases can only be replicated to other Exchange Server 2010 servers within a DAG. You cannot replicate a database outside of the DAG, or to an Exchange Server 2007 server.
NOTE
These hardware requirements from Microsoft are the bare minimum and should not be used in best-practice scenarios. In addition, hardware requirements can change because of features and functionality required by the company, for example, the implementation of Unified Messaging voice mail services or clustering on an Exchange Server 2010 server can require more memory. See Chapter 34, Optimizing an Exchange Server 2010 Environment, for more tips and best practices on sizing the server for your environment.
If AD is already deployed, it is important that the team designing the Exchange Server infrastructure have a solid understanding of the existing AD environment. Organizations with an AD infrastructure already in place need to evaluate how Exchange Server can fit into their environment. If AD has not been deployed, the organization or team designing Exchange Server needs to plan their implementation with a thought as to what their messaging infrastructure will look like. This section is designed to give a basic understanding of the AD infrastructure required to support an Exchange Server 2010 implementation. Many facets are involved when planning a production AD infrastructure (forest model, domain model, group policies, and delegation of administration, to name a few), and the information needed to design an AD infrastructure from end to end is beyond the scope of this book. Some of the AD factors that should be considered when deploying Exchange Server 2010 include the following:
- Global Catalog Server Placement
- AD Sites and Services
- Forest and Domain Functional Levels
- Flexible Single Master Operations Role Placement
- Permissions Needed to Install Exchange
- Bandwidth and Latency in the Network
NOTE
For in-depth guidance on designing, implementing, and maintaining an AD infrastructure, refer to Windows Server 2003 Unleashed, R2 Edition, by Sams Publishing (ISBN: 0-672-32898-4), or Windows Server 2008 Unleashed, by Sams Publishing (ISBN: 0-672-32930-1).
an environment, new functionalities are enabled. By maintaining an older functional level, interoperability with older domain controllers is supported.
Forest Functional Levels
Windows Server 2003 supports three forest functional levels:
- Windows 2000 Native: Required while any Windows 2000 Server domain controllers remain in your forest. Supports domain controllers running Windows NT 4.0, Windows 2000 Server, and Windows Server 2003.
- Windows Server 2003 Interim: A special functional level only implemented during NT 4.0 to Windows 2003 upgrades.
- Windows Server 2003: All DCs in the forest must be running Windows Server 2003, and all domains in the forest must be at the Windows 2003 domain functional level before you can raise your forest functional level to Windows Server 2003.
Windows Server 2008 supports three forest functional levels:
- Windows 2000 Native: Supports Windows 2000, Windows Server 2003, and Windows Server 2008 domain controllers.
- Windows Server 2003: Allows for a mix of Windows Server 2003 and Windows Server 2008 functional level domains.
- Windows Server 2008: Ensures all domain controllers in the forest are running Windows Server 2008 and all domains have been raised to the Windows Server 2008 domain functional level.
NOTE
To install Exchange Server 2010, the Active Directory forest functional level MUST be Windows Server 2003 or higher. Windows 2000 Native and Windows Server 2003 Interim modes are NOT supported.
Domain Functional Levels
Windows Server 2003 supports four domain functional levels:
- Windows 2000 Mixed: Allows Windows Server 2003 domain controllers to interoperate with other domain controllers running Windows Server 2003, Windows 2000 Server, and Windows NT 4.0.
- Windows 2000 Native: Allows domain controllers running Windows Server 2003 to interact with domain controllers running either Windows Server 2003 or Windows 2000 Server.
- Windows Server 2003 Interim: Supports only domain controllers running Windows Server 2003 and Windows NT 4.0.
- Windows Server 2003: Supports only Windows Server 2003 domain controllers.
Windows Server 2008 supports three domain functional levels:
- Windows 2000 Native: Allows domain controllers running Windows Server 2008 to interact with domain controllers running either Windows Server 2008, Windows Server 2003, or Windows 2000 Server.
- Windows Server 2003: Supports an environment comprised of a mixture of Windows Server 2003 and Windows Server 2008 domain controllers.
- Windows Server 2008: Only available after all domain controllers in a domain are running Windows Server 2008.
NOTE
To install Exchange Server 2010, the Active Directory domain functional level MUST be Windows Server 2003 or higher for each domain in the Active Directory forest that will house an Exchange Server 2010 server. Windows 2000 Mixed, Windows 2000 Native, and Windows Server 2003 Interim modes are NOT supported.
immediately after a password change instead of having to wait for that change to replicate throughout Active Directory.
- Infrastructure Master: Maintains security identifiers, GUIDs, and DNS for objects referenced across domains. This role is also responsible for ensuring that cross-domain group-to-user references are correctly maintained.
When designing the FSMO role placement of an Active Directory environment, the following best practices should be considered:
- If a domain has only one domain controller, that domain controller holds all the domain roles. However, this configuration is not recommended (even for smaller organizations), as it creates a single point of failure.
- The Schema Master and Domain Naming Master should be placed on the same domain controller in the root or placeholder domain. This server can (and should) also be configured as a global catalog server.
- Place the RID and PDC emulator roles on the same domain controller. If the load on this server justifies separating the roles, place them on domain controllers in the same domain and AD site and ensure the two domain controllers are direct replication partners of each other.
- As a general rule, the infrastructure master should be deployed on a domain controller that is NOT also a global catalog server. This domain controller should have a direct connection to a GC server, preferably in the same Active Directory site. Global catalog servers hold a partial replica of every object in the forest, and the infrastructure master, when placed on a global catalog server, will never update anything, as it does not contain any references to objects that it does not hold. There are two exceptions to this rule:
  1. Single domain forest: In a forest with a single AD domain, there are no phantoms and the infrastructure master has no work to do. In this case, the infrastructure master can be placed on any domain controller, including those that are also global catalog servers.
  2. Multidomain forests where every domain controller is a global catalog server: When every domain controller in a domain that is part of a multidomain forest is configured as a global catalog server, there are no phantoms or work for the infrastructure master to do. The infrastructure master can be placed on any domain controller in the domain.
NOTE
As stated by Microsoft, to install Exchange Server 2010, the Schema master should have the latest 32-bit or 64-bit edition of the Windows Server 2003 Standard or Enterprise operating system or the latest 32-bit or 64-bit edition of the Windows Server 2008 Standard or Enterprise operating system.
Additionally, in each Active Directory site where you plan to install Exchange Server 2010, you must have at least one Global Catalog server that meets the same criteria.
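The functional-level, FSMO-placement, and global-catalog rules above can be verified before Exchange setup is ever run. The following script is an added example, not code from the book; it is read-only and uses only the .NET System.DirectoryServices.ActiveDirectory classes that ship with Windows, so it runs under Windows PowerShell v2 on any domain-joined machine as a domain user, without the Exchange or Active Directory modules.

```powershell
# Added example (not from the book): read-only pre-flight check of the AD
# prerequisites listed in this chapter: forest/domain functional levels,
# FSMO role placement, and global catalog coverage per site.
Add-Type -AssemblyName System.DirectoryServices

function New-CheckResult([string]$Check, [bool]$Passed, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-ExchangeAdPrerequisites {
    $results = @()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # Forest functional level must be Windows Server 2003 or higher. The enum is
    # ordered, so Windows 2000 Native and 2003 Interim both fall below the bar.
    $minForest = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest
    $results += New-CheckResult "Forest functional level" `
        ([int]$forest.ForestMode -ge [int]$minForest) `
        "$($forest.Name) is at $($forest.ForestMode)"

    # Every domain that will house an Exchange Server 2010 server needs domain
    # functional level Windows Server 2003 or higher.
    $minDomain = [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003Domain
    foreach ($domain in $forest.Domains) {
        $results += New-CheckResult "Domain functional level" `
            ([int]$domain.DomainMode -ge [int]$minDomain) `
            "$($domain.Name) is at $($domain.DomainMode)"
    }

    # Schema master and domain naming master should share one DC that is also a GC.
    $schema = $forest.SchemaRoleOwner
    $naming = $forest.NamingRoleOwner
    $results += New-CheckResult "Schema/Naming master co-located on a GC" `
        (($schema.Name -eq $naming.Name) -and $schema.IsGlobalCatalog()) `
        "Schema: $($schema.Name); Naming: $($naming.Name)"

    foreach ($domain in $forest.Domains) {
        # RID and PDC emulator roles should be on the same DC.
        $rid = $domain.RidRoleOwner
        $pdc = $domain.PdcRoleOwner
        $results += New-CheckResult "RID/PDC co-located ($($domain.Name))" `
            ($rid.Name -eq $pdc.Name) "RID: $($rid.Name); PDC: $($pdc.Name)"

        # Infrastructure master should not be a GC, except in a single-domain
        # forest or when every DC in the domain is already a GC.
        $im = $domain.InfrastructureRoleOwner
        $allGc = $true
        foreach ($dc in $domain.DomainControllers) {
            if (-not $dc.IsGlobalCatalog()) { $allGc = $false }
        }
        $exempt = ($forest.Domains.Count -eq 1) -or $allGc
        $results += New-CheckResult "Infrastructure master placement ($($domain.Name))" `
            ($exempt -or -not $im.IsGlobalCatalog()) `
            "IM: $($im.Name); IM is GC: $($im.IsGlobalCatalog()); exempt: $exempt"
    }

    # Exchange needs a GC in every AD site where it will be installed, and the
    # chapter recommends at least two GCs overall. Group the forest's GCs by site.
    $gcBySite = @{}
    foreach ($gc in $forest.GlobalCatalogs) {
        $gcBySite[$gc.SiteName] = [int]$gcBySite[$gc.SiteName] + 1
    }
    foreach ($site in $forest.Sites) {
        $count = [int]$gcBySite[$site.Name]
        $results += New-CheckResult "GC present in site $($site.Name)" ($count -ge 1) "$count GC(s)"
    }
    $results += New-CheckResult "At least two GCs in forest" `
        ($forest.GlobalCatalogs.Count -ge 2) "$($forest.GlobalCatalogs.Count) GC(s) total"

    $results
}

Test-ExchangeAdPrerequisites | Format-Table Check, Passed, Detail -AutoSize
```

A failed row points at the section of this chapter that explains how to fix it (raise the functional level, move the FSMO role, or enable the Global Catalog on a DC in that site); the script itself changes nothing.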
Understanding How DNS and AD Namespace Are Used in Exchange Server 2010
The first step in the actual design of the AD structure is the decision on a common domain name system (DNS) namespace that AD will occupy. AD revolves around (and is inseparable from) DNS and this decision is one of the most important ones to make. The namespace chosen can be as straightforward as companyabc.com, for example, or it can be more complex. Multiple factors must be considered, however, before this decision can be made. Is it better to register an AD namespace on the Internet and potentially expose it to intruders, or is it better to choose an unregistered, internal namespace? Is it necessary to tie in multiple namespaces into the same forest? These and other questions must be answered before the design process can proceed.
[Figure: a single forest containing the regular user domain companyabc.com and the separate placeholder domain placeholder.internal]
The placeholder domain structure increases security in the forest by segregating high-level schema-access accounts into a completely separate domain from the regular user domain. Access to the placeholder domain can be audited and restricted to maintain tighter control on the critical schema. The downside to this model, however, is the fact that the additional domain requires a separate set of domain controllers, which increases the infrastructure costs of the environment. Smaller organizations may have a difficult time justifying the extra infrastructure costs to provide the increased security, but whenever the budget allows, this model should definitely be considered.
Active Directory Sites
The basic unit of AD replication is known as the site. Not to be confused with physical sites or Exchange Server 5.5 sites, the AD site is simply a group of domain controllers connected by high-speed network connections. Each site is established to more effectively replicate directory information across the network. In a nutshell, domain controllers within a single site will, by default, replicate more often than those that exist in other sites. The concept of the site constitutes the centerpiece of replication design in AD.
Associating Subnets with Sites
In most cases, a separate instance of a site in AD physically resides on a separate subnet from other sites. This idea stems from the concept that the site topology most often mimics, or should mimic, the physical network infrastructure of an environment. In AD, sites are associated with their respective subnets to allow for the intelligent assignment of users to their respective domain controllers. For example, consider the design shown in Figure 7.2.
[Figure 7.2: SITE 01 (192.168.115.0/24) contains Server-EX01 at 192.168.115.10 and Server-DC01 at 192.168.115.5; SITE 02 (192.168.116.0/24) contains Server-EX02 at 192.168.116.10, Server-DC02 at 192.168.116.5, and Client 01 at 192.168.116.45]
A site link is essentially a connection that joins together two sites and allows for replication traffic to flow from one site to another. Multiple site links can be set up and should normally follow the wide area network (WAN) lines of your organization. Multiple site links also assure redundancy so that if one link goes down, replication traffic has an alternate path. Site link replication schedules can be modified to fit the requirements of your organization. If, for example, the WAN link is saturated during the day, a schedule can be established to replicate information at night. This functionality allows you to easily adjust site links to the needs of any WAN design.
Exchange Server 2010 and Site Membership
After the AD site topology has been created, including adding the appropriate subnets to sites and creating site links between sites, an administrator can take Exchange Server placement into consideration. Similar to AD domain controllers, Exchange Server 2010 servers will be associated with sites in AD based on their IP address and subnet mask. As stated earlier, there should be at least one domain controller/global catalog server residing in each site that an Exchange Server 2010 server will be in. For more information on creating an Exchange Server routing topology, refer to Chapter 4, Architecting an Enterprise-Level Exchange Server Environment.
NOTE
If an AD infrastructure already exists prior to the design of the Exchange Server 2010 environment, there might be a need to make changes to the AD routing topology to support the Exchange routing requirements.
Directory database in memory. To confirm the size of your Active Directory database, look at the size of the %WINDIR%\NTDS\NTDS.DIT file. For optimization, plan on having a global catalog server close to the clients to provide efficient address list access. Making all domain controller servers global catalog servers is recommended for an organization that has a single AD domain model and a single site. Otherwise, for multidomain models, all domain controllers can be configured as global catalog servers except for the domain controller hosting the Infrastructure Master FSMO role.
NOTE
It is a best practice to have at least two global catalog servers within an AD infrastructure.
Role Based Access Control is not used on Edge Transport servers, as these servers are designed to sit outside the domain. Exchange Server 2010 provides several built-in management roles that cannot be modified, nor can the management role entries configured on them. However, the scope of the built-in management roles can be modified. The following built-in management roles are included by default in Exchange Server 2010:
- Organization Management: Administrators assigned to this role have administrative access to the entire Exchange Server 2010 organization, and can perform almost any task against any Exchange Server 2010 object. Even if a task can only be completed by another role, members of the Organization Management role have the ability to add themselves to any other role. As this role is very powerful, it is recommended that it only be assigned to users who are responsible for organizational level administration. Changes made by this role can potentially impact the entire Exchange organization.
- View Only Organization Management: This role is the equivalent of the Exchange View-Only Administrator role in Exchange Server 2007. Members of this role can view the properties of any object in the Exchange organization, but cannot modify the properties of any object. Useful for personnel who need to be able to view the configuration of objects within the environment, but who do not need the ability to add new or modify existing objects.
- Recipient Management: Administrators assigned to this role have the ability to create, modify, or delete Exchange Server 2010 recipients within the organization.
- Records Management: Administrators assigned to this role have the ability to configure compliance features, including transport rules, message classifications, retention policy tags, and others. Often assigned to administrators or members of an organization's legal department who need the ability to view and modify compliance features in an organization.
- GAL Synchronization Management: Administrators assigned to this role have the ability to configure global address list (GAL) synchronization between organizations.
Other built-in management roles include Unified Messaging Management, Unified Messaging Recipient Management, Unified Messaging Prompt Management, and Discovery Management.
NOTE
Membership in the Organization Management Role should be limited to personnel who have advanced knowledge of the Exchange Server operating system and your particular network environment.
- Testing failover and recovery
- Selecting to install on physical hardware or virtual machines
Much of the validation and testing should occur during the testing process. It is much easier, for example, to test a disaster recovery rebuild of Exchange Server in an exclusive test environment than it is to do so in a production environment, where production servers or users could accidentally be impacted. Additionally, testing application compatibility in a lab environment can be much more effective than attempting to do so in a production environment, where you might suddenly find business-critical third-party fax, voice mail, or paging software nonfunctional. Other items to test and confirm in your lab environment include:
- Sites and Services Configuration: Ensure replication is completed as expected
- Role Based Access Control: Ensure the proposed security settings allow proper user and administrative access
Building an Exchange Server 2007 prototype test lab can be a costly affair for companies that want to simulate a large, global implementation. For companies with a global presence where it is necessary to provide messaging services for thousands of employees, in multiple sites throughout the world, mirroring their production site can prove a daunting task. However, without successfully prototyping the installation, upgrade strategy, and application compatibility before they move forward in production, they cannot be assured that the deployment will go smoothly. The cost of building a lab of this magnitude using physical servers can be prohibitive; there can be AD domain controllers, Exchange 2003 and 2007 servers, and application servers. The cost of building the lab could eat up a large part of the overall budget allocated to the project. However, with the improvements in server virtualization, companies can significantly lower the costs associated with the prototype phase. Server virtualization enables multiple virtual operating systems to run on a single physical machine, while remaining logically distinct with consistent hardware profiles. For further cost savings, the hardware utilized for the virtual lab can be purchased with an eye toward re-utilization in the production environment once the prototype phase is complete.
7. Select Custom (advanced) to install a clean copy of Windows.
8. Select the physical disk on which Windows will be installed and click Next to continue. The server will begin the installation process, rebooting several times during the process.
1. A default account called Administrator will be created, but you will have to set the password for this account. When prompted The User's Password Must Be Changed Before Logging on the First Time, click OK to continue.
2. Enter the new password for the Administrator account in both the New password and Confirm password fields, and then press Enter. When prompted Your password has been changed, click OK.
Once the installation process has completed and the server reboots, there will be an Initial Configuration Tasks screen. Perform the steps in the Provide Computer Information section as follows:
Set Time Zone
1. Click Set Time Zone. On the Date and Time tab, review the current Date, Time, and Time zone settings and configure them as needed.
2. If desired, up to two additional clocks can be configured for additional time zones with customized display names. If you wish to display more than one clock, select the Additional Clocks tab and configure them.
3. By default, Windows Server 2008 servers are configured to automatically synchronize with time.windows.com. The server is configured to synchronize once a week. If you need to change the source of your time updates, you can click the Internet Time tab.
4. Click OK to return to the Initial Configuration Tasks screen.
Configure Networking
Windows Server 2008 has a completely redesigned implementation of the TCP/IP protocol stack, known as the Next Generation TCP/IP stack. This updated functionality applies to both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6).
1. Click Configure networking, double-click the Local Area Network Connection icon, and then click the Properties tab.
2. Double-click the Internet Protocol Version 4 (TCP/IPv4) option and configure an appropriate IP address, Subnet mask, Default gateway, and preferred DNS server for your environment.
3. Click OK to save your changes.
4. Perform the same steps to configure the Internet Protocol Version 6 (TCP/IPv6).
5. Save all settings and exit the Network Connections utility.
6. Launch Internet Explorer and confirm Internet connectivity. Adjust your network settings if necessary to allow the computer access to the Internet.
Provide Computer Name and Domain
Each computer on a Windows network and in Active Directory must have a unique computer name. This name, known as the NetBIOS name, allows users, resources, and other computers to contact this computer on the network. A standard NetBIOS name is limited to 15 characters and should only consist of letters (A-Z, a-z), digits (0-9), and hyphens (-). For example, weinhardt-dc is a standard computer name, but weinhardt_dc is nonstandard. Although the implementation of a DNS server will allow you to use nonstandard computer names and still find the resources in your environment, servers as critical as domain controllers and Exchange servers should only use standard computer names.
1. Click Provide Computer Name and Domain. If you have already closed your Initial Configuration Tasks screen, you can click Start, right-click Computer, and select Properties; then, beside Computer Name, Domain, and Workgroup Settings, click Change Settings.
2. On the Computer Name tab, click Change.
3. Under Computer name, enter the computer name for this machine; then click OK to continue.
4. Acknowledge that you must restart your computer to apply these changes by clicking OK, and then click Close.
5. When prompted You Must Restart Your Computer, click Restart Now.
Enable Automatic Updating and Feedback
Windows Server gives you the option of automatically applying updates as they are released from Microsoft. While this option may be a good idea for some applications, most organizations require change control procedures before updating servers as business critical as domain controllers and Exchange servers.
1. Click Enable Automatic Updating and Feedback. Although the first option, Enable Windows Automatic Updating and Feedback, states that it is recommended, in this author's opinion that setting is NOT recommended for domain controllers or Exchange servers. Instead, click Manually Configure Settings.
2. Under Windows Automatic Updating, click Change Setting. Set the automatic updates according to your organization's policies. The author recommends selecting either Download Updates but Let Me Choose Whether to Install Them or Check for Updates but Let Me Choose Whether to Download and Install Them. Additionally, the author recommends Include Recommended Updates When Downloading, Installing, or Notifying Me about Updates, as shown in Figure 7.3.
3. When ready, click OK to continue.
4. Review the Windows Error Reporting and Customer Experience Improvement Program settings. The author recommends the default settings, as shown in Figure 7.4. When finished, click Close to continue.
5. Click Download and Install Updates; if prompted to Install new Windows Update Software, click Install Now. As part of the installation process, the Windows Updates application will automatically close and reopen and begin checking for updates.
FIGURE 7.4 Configuring Windows Error Reporting and Customer Experience Improvement Program.
6. At this point, you can either click View Available Updates and select which ones to install or simply click Install Updates to automatically download and install all available updates.
7. Accept any license agreements and click Finish to begin installing available updates. Monitor the installation, as you may have additional prompts from the installation process. When finished, if a restart is required, click Restart Now.
8. When the server has rebooted, log on again and return to the Download and Install Updates section.
9. Click the option to Get Updates for More Products.
10. From the Microsoft Update site, place a check mark in the I Accept the Terms of Use box and click Next.
11. Select Use Current Settings and click Install; then on the User Account Control window, click Continue.
12. When complete, your server now checks for updates for all Microsoft products on the server (such as Exchange Server), and not just for the standard Windows updates. Close all windows to finish.
This concludes the installation of the base operating system for both the domain controller and the Exchange Server 2010 server.
NOTE
There are many improvements in the Active Directory Domain Services Installation Wizard in Windows Server 2008. While all of these improvements are available by default, some of the wizard pages will appear only if the administrator selects Use Advanced Mode Installation. Advanced mode installation can also be selected by running the DCPROMO command with the /ADV switch (dcpromo /adv).
3. On the Operating System Compatibility screen, read the information and then click Next.
4. At the Choose a Deployment Configuration screen, for our purposes, we select Create a New Domain in a New Forest and click Next. Other available options enable you to modify an existing forest by adding a new domain controller in a new or existing domain.
5. Enter the fully qualified domain name (FQDN) of the Forest Root Domain and click Next. For our example, we use companyabc.lab.
6. Enter the Domain NetBIOS name. A default name is suggested for you, derived from the Forest Root Domain name in the previous step. In our example, the suggested domain name is COMPANYABC. When you have the domain name entered, click Next.
7. Set the Forest Functional Level. For our purposes, we cannot set the level to Windows 2000, as Exchange Server 2010 requires Windows Server 2003 or higher. If you are certain your environment will not contain any Windows Server 2003 domain controllers in the future, you can set it to Windows Server 2008. For our test installation, we select Windows Server 2003 and click Next to continue.
8. Set the Domain Functional Level. As above, we will select Windows Server 2003 and click Next.
9. Microsoft recommends that you install DNS server on the first domain controller, and requires that this server be a Global Catalog. Leave the default settings and click Next to continue. Electing to install Microsoft DNS on the new domain controller will also modify the server's TCP/IP properties to use the new DNS installation for name resolution.
10. If your computer has any IP addresses (either IPv4 or IPv6) that are assigned by a DHCP server, you will receive a notice that static IP addresses should be assigned to all network adapters. Check your IP settings and continue when ready.
11. If no authoritative parent DNS zone exists, you receive the warning shown in Figure 7.5. In our example, we are not integrating with an existing DNS infrastructure, so we will simply click Yes to continue.
12. Depending on your server configuration design, select the location where the AD databases will be located. Using the Browse buttons, select the locations for your Database, Log files, and SYSVOL folders. When ready, click Next.
NOTE
When configuring AD database locations, make sure that your server hardware configuration plan takes recoverability and performance into account. For best performance, install the AD databases on a separate hard disk than the server operating system and server page file. For best recoverability, use disk fault tolerance such as RAID or disk mirroring for the AD databases.
13. Assign a password to the Directory Services Restore Mode Administrator account. This account is used in the event that you have to start the domain controller in Directory Services Restore Mode. This password should be a strong password, containing a combination of upper- and lower-case letters, numbers, and special characters. The password should be documented and stored in a secure location. Enter the Directory Services Restore Mode Administrator password and click Next.
14. Review the selections you have made. In the future, when creating additional domain controllers that will be similar to one another, you can export the settings to an answer file that you can use for future unattended installations. If you need to make any changes, use the Back button to go to the section you want to change, then use the Next button to return to the review screen. When ready, click Next to continue.
15. The installation wizard now installs DNS and the Active Directory Domain Services. When the installation has completed, click Finish to close the wizard, and then click Restart Now to restart the server.
When the server has rebooted, log on to the new domain. Your default administrator account will now be a domain administrator, and the password is the same. Take the time to review the server's Event Viewer application and system logs to identify any errors or potential problems with your installation before continuing.
Changing Site Properties
To change the AD Default-First-Site-Name, follow these steps:
1. On the domain controller, select Start\Administrative Tools\Active Directory Sites and Services.
2. Click the plus sign (+) to expand the Sites tree.
3. Right-click Default-First-Site-Name in the left pane of the console, and then click Rename.
4. Enter a name, and then press Enter, which changes the default site name to your custom site name. In our sample lab, we will choose FredericksburgVA.
Creating a New Active Directory Site
To create a new site in AD, follow these steps:
1. On the domain controller, open AD Sites and Services.
2. Click the plus sign (+) to expand the Sites tree.
3. Right-click Sites in the left pane of the console, and then click New and Site.
4. Enter the new site name in the New Object-Site dialog box. In this example, SunnyvaleCA was used for the new site name.
5. Click to highlight DEFAULTIPSITELINK, and then click OK.
6. Review the Active Directory Domain Services message box (shown in Figure 7.6) and ensure the configuration was successful, and then click OK.
4. Enter the address prefix using network prefix notation. This requires the address and the prefix length, where the prefix length shows the number of fixed bits in the subnet. The example shown in Figure 7.7 uses the 192.168.80.0/24 subnet, providing us with a Class C (255.255.255.0) subnet. Next, select a site to associate with the subnet and click OK.
4. Right-click the NTDS Settings object, and then click Properties.
5. On the General tab, ensure the Global Catalog check box is marked if you want the server to be a global catalog server (as illustrated in Figure 7.8). When ready, click OK.
domain\administrator, where domain is the name of your domain, and administrator is the administrative account for that domain.
8. When the Confirm Transfer Request box appears, browse to the location where you would like to store your prerequisite installation files. (Note: The browse feature does not allow you to create new folders, so if you are going to want to create a new folder for the storage of these files, do so in Explorer before trying to browse.) When you have selected the location, click Transfer.
9. Once the file has finished downloading, click Close. You can then go to the directory where you stored the download. Double-click the WinRM on Vista and WS08 (x64) directory; then double-click the installation file. When prompted to Click OK to Install, do so.
10. Accept the license terms by clicking I Accept.
11. Once completed, click Restart Now.
Installing Windows PowerShell v2
1. Log on to the workstation with your domain administrative account.
2. Insert the Exchange Server 2010 CD and allow Autorun to start the Microsoft Exchange Server 2010 Setup Wizard. You can also start the Wizard from a command prompt by typing d:\setup (assuming d:\ contains your E2010 installation media).
3. Select Step 3: Install Windows PowerShell v2.
4. From the download page for Windows PowerShell V2, locate the download files and click Download next to the PowerShell_Setup_amd64.msi file.
5. Click Run to run the file directly from the download page. If you receive a security warning, click Run again.
6. From the Windows PowerShell Setup Wizard, click Next.
7. On the License Agreement page, click I Accept the Terms in the License Agreement, then click Next, and then click Install.
8. Click Finish when complete and close the Internet Explorer window.
Installing the 2007 Office System Converter: Microsoft Filter Pack
This section is required only for Exchange Server 2010 servers that have the Mailbox role installed on them.
1. Log on to the workstation with your domain administrative account.
2. Open Internet Explorer and go to www.microsoft.com/downloads. Search for 2007 Office Converter Microsoft Filter Pack. Select the Microsoft Filter Pack from the available options.
3. Make sure you are on the 2007 Office System Converter: Microsoft Filter Pack page. Scroll down and click Download for the FilterPackx64.exe file. When prompted, click Run.
4. From the Welcome screen, click Next.
5. From the End-User License Agreement screen, click I Accept the Terms in the Licensing Agreement and click Next.
6. When complete, click OK to exit the installation.
Installing the Active Directory Services Remote Management Tools
These steps will allow an administrator to perform the Schema and Domain prep commands from your Windows Server 2008 server.
1. Open an administrator-enabled command prompt. Right-click Command Prompt and select Run as Administrator.
2. Run the following command:
ServerManagerCmd -i RSAT-ADDS
The progress of this command will sit at the <10/100> prompt for a while; be patient and let it finish. Upon completion, you see two Warnings in yellow stating You Must Restart This Server to Finish the Installation.
3. After you have successfully installed the Role Administration Tools and the Active Directory Domain Services Tools, reboot the server as instructed.
NOTE
Simply running the ServerManagerCmd command above from a normal command prompt will result in a frustrating and poorly documented error: WriteError: Failed to write the log file: Access to the path C:\Windows\logs\ServerManager.log is denied. The need to do this is the result of a newly added security component found in both Windows Server 2008 and Windows Vista that is known as User Account Control, or UAC. UAC allows administrators to enter their credentials while in a non-administrator's user session to accomplish administrative tasks without having to switch users, log off, or use the Run As command. UAC also uses Admin Approval Mode (AAM) for all accounts except the built-in Administrator account in Windows Server 2008. AAM is designed to prevent malicious applications from installing without the knowledge of the logged-on user. AAM allows administrators to log on and receive a split user access token: the administrator receives both a full access token and a filtered access token. The filtered access token is used to start Explorer.exe (the process that creates the user's desktop). All applications started by the Explorer.exe process inherit this filtered access token. In short, with UAC enabled, administrators may have to confirm the installation of some applications or system changes, even when logged in with elevated privileges.
Preparing the Schema
1. From the Exchange server, log on with your administrative account. This account must be a member of the Schema Administrators and Enterprise Administrators groups.
2. Copy the contents of your Exchange Server 2010 installation media to a directory on a local drive, such as c:\E2k10Install.
3. From an administrator-enabled command prompt, change to the drive and directory that holds your Exchange Server 2010 installation media and run the following command:
Setup /PrepareSchema or Setup /ps
NOTE
Depending on how you obtain the media for Exchange Server 2010, you may need to copy the installation media to a local drive and run the setup from that local drive. If you do not, your installation may result in the following error: An error occurred while copying the file d:\\en\Setup\ServerRoles\Common \en\Details Templates Editor.msc. The error code was 5. If you did not copy the installation media locally and you receive this error, delete the contents of the c:\%windir%\temp file, copy the media locally, and run the command again.
4. When completed, the screen should look like the one in Figure 7.9.
2. From an administrator-enabled command prompt, change to the drive and directory that holds your Exchange Server 2010 installation media and run the following command:
Setup /PrepareAD /OrganizationName:SG or Setup /p /on:SG
where SG is the Organization Name for your environment. In our lab, we are using TestLab as the Organization Name, so the command will look like this:
Setup /PrepareAD /OrganizationName:TestLab
3. When completed, the screen should look like the one in Figure 7.10.
4. When finished, leave your Command Prompt window open and continue with the next section.
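The two preparation steps above depend on the account and forest prerequisites the chapter states. The following script, an added example that is not from the book, checks group membership and the forest functional level before running setup.com /PrepareSchema and /PrepareAD from a local copy of the media; the media path and organization name are placeholders.

```powershell
# Added example (not from the book): prerequisite checks, then PrepareSchema and PrepareAD.
# $mediaPath and $orgName are placeholders for your own values.
$mediaPath = 'C:\E2k10Install'   # local copy of the media, per the note about error code 5
$orgName   = 'TestLab'           # Organization Name used in this chapter's lab

# 1. The account must be a member of Schema Admins and Enterprise Admins.
$groups = whoami /groups
foreach ($g in 'Schema Admins', 'Enterprise Admins') {
    if (-not ($groups | Select-String -SimpleMatch $g)) {
        throw "The current account is not a member of $g"
    }
}

# 2. Forest functional level: 2 = Windows Server 2003, the minimum for Exchange Server 2010.
$rootDse = [ADSI]'LDAP://RootDSE'
$level   = [int]$rootDse.Properties['forestFunctionality'].Value
if ($level -lt 2) {
    throw "Forest functional level $level is below Windows Server 2003; raise it before continuing"
}

# 3. Run setup.com from the local media copy and stop on the first failure.
function Invoke-ExchangeSetup {
    param([string[]]$SetupArgs)
    & (Join-Path $mediaPath 'setup.com') @SetupArgs
    if ($LASTEXITCODE -ne 0) {
        throw "setup.com $($SetupArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

Invoke-ExchangeSetup -SetupArgs @('/PrepareSchema')
Invoke-ExchangeSetup -SetupArgs @('/PrepareAD', "/OrganizationName:$orgName")
Write-Host 'Schema and AD preparation completed; compare the output with Figures 7.9 and 7.10.'
```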
To install these roles, perform the following steps:
1. Log on with your domain administrator account. From an administrator-enabled Command Prompt, run each of the commands above or, alternately, run the combined command as shown here:
ServerManagerCmd -i Web-Server Web-ISAPI-Ext Web-Metabase Web-LgcyMgmt-Console Web-Basic-Auth Web-Digest-Auth Web-Windows-Auth Web-Dyn-Compression NET-HTTP-Activation RPC-over-HTTP-proxy -Restart
Note the addition of the -Restart at the end of the command to ensure the server does not try to restart between component installations. When complete, you should see Success: Installation Successful.
2. Reboot the server upon completion.
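The ServerManagerCmd installs in this section and in the RSAT-ADDS section above fail in an unelevated session, as the UAC note explains. The following script, an added example that is not from the book, verifies elevation first and then runs both installs with the feature IDs used in this chapter, reporting the exit code of each.

```powershell
# Added example (not from the book): elevation check, then the prerequisite installs
# from this chapter via ServerManagerCmd.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    # Under UAC Admin Approval Mode a non-elevated session only carries the filtered token,
    # which is why ServerManager.log cannot be written and the install fails.
    throw 'Open PowerShell with Run as Administrator and run this script again.'
}

# Feature IDs exactly as used in the commands in this chapter.
$rsatFeatures = @('RSAT-ADDS')
$webFeatures  = @('Web-Server', 'Web-ISAPI-Ext', 'Web-Metabase', 'Web-LgcyMgmt-Console',
                  'Web-Basic-Auth', 'Web-Digest-Auth', 'Web-Windows-Auth',
                  'Web-Dyn-Compression', 'NET-HTTP-Activation', 'RPC-over-HTTP-proxy')

function Install-Features {
    param([string[]]$Ids, [switch]$Restart)
    $cmdArgs = @('-install') + $Ids
    if ($Restart) { $cmdArgs += '-restart' }
    & ServerManagerCmd.exe @cmdArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ServerManagerCmd returned $LASTEXITCODE for: $($Ids -join ' ')"
    }
    return $LASTEXITCODE
}

# RSAT-ADDS first; the yellow warnings about restarting apply, so reboot before the web roles.
$rc = Install-Features -Ids $rsatFeatures
if ($rc -eq 0) { Write-Host 'RSAT-ADDS installed; restart the server, then run the web role install.' }

# Web roles with -restart, matching the combined command above.
# Install-Features -Ids $webFeatures -Restart
```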
5. From the License Agreement screen, select I Accept the Terms in the License Agreement and click Next to continue.
6. On the Error Reporting screen, select whether you want to report installation errors to Microsoft. The default is No. Click Next to continue.
7. On the Installation Type screen, if you are installing specific roles, select Custom Exchange Server Installation. In our test environment, we are installing the Hub Transport, Client Access, and Mailbox server roles (as well as the Exchange Management Tools), so we select Typical Exchange Server Installation. Additionally, if you are not installing the Exchange Server application to the default location, click Browse to select the installation directory. When ready, click Next to continue.
8. On the Client Settings screen, if you have clients running either Outlook 2003 (or earlier) or Entourage, select Yes. Otherwise, select No. Selecting Yes creates a public folder database during the installation to support these clients. If No is selected, a public folder database can be created manually any time after the installation completes. When ready, click Next to continue.
9. The Configure Client Access Server External Domain screen is a new addition to the Exchange Installation Wizard (see Figure 7.11). If your client access server will be Internet facing, you can place a check in the box and enter the domain name that you will use (for example, mailservices.domain.com). If your client access server is NOT going to be Internet facing, leave this box unchecked. Click Next to continue.
FIGURE 7.11 The New Configure Client Access Server External Domain screen.
10. On the Customer Experience Improvement Program screen, elect whether you want to join the Exchange Customer Experience Improvement Program. Make your selection and click Next to continue.
11. On the Readiness Checks screen, wait while the Install Wizard goes through the prerequisites for each of the selected roles. There may be hotfixes required for the roles being installed; if so, they will be identified as errors in the Readiness Check. Take the recommended actions to resolve them. When all readiness checks show as Completed, click Install to continue.
12. On the Completion screen, review the results of the installation. Ideally, you should see Successfully Installed. No Errors, as shown in Figure 7.12. When ready, uncheck the option to Finalize This Installation Using the Exchange Management Console and click Finish.
The optional parameters cover all of the various configuration possibilities, including the organization name, target directory, source directory, default database name, and others. All optional parameters can be viewed from the command line by typing:
Setup.com /help:install
The log files contain all the details pertaining to the installation of the Exchange server throughout the process.
Summary
The installation of Exchange Server 2010 is a relatively simple process, thanks to the Exchange Server Installation Wizard. However, the key to a successful deployment is proper planning: administrators should know exactly what they are deploying before they begin, and the plan should be confirmed in a test environment before deployment. A solid understanding of the prerequisites, testing the installation process, and carefully following the installation steps confirmed during the testing phase are critical to a smooth and error-free deployment.
Best Practices
The following are best practices from this chapter:
. Carefully review and complete all prerequisites before attempting to install Exchange Server 2010. The trial and error method is time consuming and frustrating. Proper planning before execution will greatly increase the chance of an error-free installation.
. For email messages to flow, you MUST install both the Mailbox server role and the Hub Transport server role in each Active Directory site that will house a mailbox server.
. You must install a client access server in each AD site that has a mailbox server.
. Use virtual servers when creating a test lab to simulate large production implementations and to minimize hardware costs.
. For small organizations, it is possible to install the Mailbox, Client Access, and Hub Transport roles all on the same server.
. Before installing Exchange Server 2007 into a production environment, it is beneficial to prototype the design in a test environment.
. To install Exchange Server 2010, the Active Directory forest functional level MUST be Windows Server 2003 or higher.